How to authorise an API user without using client secret

Hello! I use auth0 to authenticate users on a webapp and now I’m looking to do the same for users using an API via their own code or a CLI.

I’ve followed the python API tutorial but as far as I can see the user still needs an access token in order to authorise any requests which requires the user to know both the client id and client secret. This confuses me as my understanding of client secrets is that they should not be shared with untrusted parties.

I have also looked into storing the client id and client secret within my API and then using a user's username and password to request an access token internally within the API. My concern with this approach is the security of a user passing their details over the wire and through my API. Maybe it's a serious lack of understanding on the complexities of this scenario but I expected the authorisation interaction to be directly between user and auth0 much like it is in the webapp authorisation flow.

So my main question is what is the standard protocol here?

But more specifically is there some mechanism by which users can request an access token using their username and password which isn’t the browser based login window that I’ve missed? Or is there some reason that I should be hosting user authorisation for an API and not a webapp?


Hi @harry6,

Welcome to the Auth0 Community!

I understand that you want to give a third party access to an API you manage. This is sometimes done with an API. In the context of Auth0, we would use client credentials instead of an API key (this is the OAuth2 way of doing things). For this, we would issue a set of client credentials to each user/developer, and mark those credentials as third party.

This is covered more extensively here:

You should also be aware of the entity limits of your subscription type. Scaling this solution will likely require higher application/client entity limits.
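To make the client credentials approach concrete, here is an added example (not code from the original thread, Auth0, or its Python tutorial) of the two halves involved: the request a developer's CLI sends to Auth0's `/oauth/token` endpoint with its *own* machine-to-machine credentials, and the claim checks the API performs on the resulting access token after its signature has been verified against the tenant's JWKS. The domain, audience and client ids are constructed values; the `gty` and `azp` claim names are the ones Auth0 sets on client-credentials tokens.

```python
import time

# Constructed tenant/API values for the example; replace with your own.
AUTH0_DOMAIN = "example.eu.auth0.com"
API_AUDIENCE = "https://api.example.com/"


def build_token_request(client_id, client_secret):
    """URL and form body a developer's CLI POSTs to obtain an access token.

    The secret is the developer's own M2M application secret, so nothing
    belonging to the API's web application is ever handed out.
    """
    url = f"https://{AUTH0_DOMAIN}/oauth/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": API_AUDIENCE,
    }
    return url, body


def validate_claims(claims, now=None):
    """Check a signature-verified token's claims; return the caller's client id.

    Signature/JWKS verification must already have happened (e.g. with a JWT
    library). Here we enforce issuer, audience, expiry and the grant type.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://{AUTH0_DOMAIN}/":
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued for this API")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("gty") != "client-credentials":
        raise PermissionError("not a machine-to-machine token")
    if not claims.get("azp"):
        raise PermissionError("no authorized party (client id) in token")
    return claims["azp"]


def identify_developer(claims, registry, now=None):
    """Map the token's client id to the developer it was issued to."""
    client_id = validate_claims(claims, now)
    if client_id not in registry:
        raise PermissionError("unknown client id")
    return registry[client_id]
```

The `registry` stands in for whatever store records which developer each M2M application was issued to; an unknown client id is rejected even if the token itself is valid.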

Hi Dan Woda - Sorry for the late reply!

Thanks for getting back to me on this. My issue was that I didn’t understand that the machine-to-machine applications required to generate client ID credentials are unique for each user. Your explanation made this clear to me so thanks a lot!



Thanks for following up!